Usage of clutter in fotocx (Was: fotoxx: Insecure use of temporary files)
Andreas Tille
tille at debian.org
Sat Nov 22 09:05:33 GMT 2025
Hi again,
it seems my effort to get fotocx into Debian is not very successful. While the
renamed fotocx is pending review in the Debian NEW queue (which
has an unpredictable processing time, unfortunately), the old fotoxx was
removed from Debian due to this bug:
https://bugs.debian.org/1018121
I checked the source of fotocx 25.3 (which was current at the time of my
upload to NEW) and found references to clutter. Do you see any chance
of making this dependency optional or removing it altogether?
Sorry that this all takes so long.
Andreas.
On Sun, Jun 08, 2025 at 11:22:06PM +0200, Michael Cornelison wrote:
> The next release of Fotocx will contain the following text in the
> 'copyright' file:
> >
> > Copyright and license exception:
> > The worldcities.txt file was derived from the Basic World Cities Database
> > https://simplemaps.com/data/world-cities.
> > The data is provided and licensed by Pareto Software.
> > The license for use is Creative Commons Attribution 4.0.
> > https://creativecommons.org/licenses
>
>
> This file is necessary for Fotocx functionality. It provides a database of
> geocoordinates by location name and country. This enables users to
> type in a location name or partial name and get the full name and
> geocoordinates added to an image file's metadata. This also enables
> the image to have a marker dot on the world map display, which is
> clickable to get a gallery of all images at or near the clicked location.
>
> It saves much work for the user who would otherwise have to laboriously
> type-in location names and geocoordinates.
>
> If this means that Fotocx is relegated to the "non-free" repository,
> then so be it. Thanks for your help in this matter.
>
> regards
> Mike
>
>
>
>
> On Sun, Jun 8, 2025 at 9:21 PM Andreas Tille <andreas at fam-tille.de> wrote:
>
> > Hi Michael,
> >
> > what exact file(s) are licensed under the NC license? I can exclude
> > these. If they are optional these can be provided in some data package
> > in Debian non-free. If the files are needed for the functionality of
> > fotocx the whole package has to go to non-free, unfortunately.
> >
> > No matter what other distributions do. If there are any restrictions
> > for the usage, which is the case for the NC, this can't be distributed
> > in Debian main.
> >
> > Kind regards
> > Andreas.
> >
> > On Sat, Jun 07, 2025 at 12:40:48AM +0200, Michael Cornelison wrote:
> > > I will not remove the file that has the Creative Commons license. The
> > > functionality would be adversely affected. The alternative would be to ask
> > > the user to download and install the file, but I prefer not to do this. If
> > > this means Fotocx cannot be a Debian package, then so be it. Most of the
> > > popular distros carry Fotocx, and it remains available in source and binary
> > > form on my web site. I may change my mind if this becomes a problem for
> > > other distros. Thanks for your consideration.
> > > Regards, Mike
> > >
> > >
> > > On Fri, Jun 6, 2025 at 4:02 PM Andreas Tille <andreas at an3as.eu> wrote:
> > >
> > > > Hi Michael,
> > > >
> > > > sorry for the long silence. The change of the name of the binary
> > > > package requires passing the Debian NEW queue including a new inspection
> > > > of the copyright of all files. This led to a rejection of the
> > > > package as you can read here:
> > > >
> > > > https://alioth-lists.debian.net/pipermail/pkg-phototools-devel/2025-April/017619.html
> > > >
> > > > I wonder whether you see some chance to strip those files mentioned
> > > > in doc/copyright which are licensed as
> > > >
> > > > Creative Commons Attribution Non Commercial Share Alike 3.0 Unported
> > > >
> > > > The "Non Commercial" is a restriction which is considered non-free in
> > > > Debian so we can't distribute the source as is. If you consider this
> > > > not a good option for your end users I could strip down the tarball for
> > > > Debian to drop these files (which will hopefully not influence the
> > > > functionality of the software itself). I just wanted to let you
> > > > know since it would be preferable to have the same tarball in Debian
> > > > as it is provided from your site.
> > > >
> > > > Kind regards and thanks a lot for your cooperation
> > > > Andreas.
> > > >
> > > > On Wed, Nov 06, 2024 at 09:51:12AM +0100, Michael Cornelison wrote:
> > > > > Thanks again.
> > > > >
> > > > > Re: detect root user and exit() if root.
> > > > >
> > > > > I do not want to make a new release now, but I will add this in the next
> > > > > release, planned for Jan 1 or so.
> > > > > I hope this is OK.
> > > > >
> > > > > regards
> > > > > Mike
> > > > >
> > > > >
> > > > > On Wed, Nov 6, 2024 at 9:43 AM Andreas Tille <andreas at an3as.eu> wrote:
> > > > >
> > > > > > Hi Michael,
> > > > > >
> > > > > > On Wed, Nov 06, 2024 at 07:49:41AM +0100, Michael Cornelison wrote:
> > > > > > > 'wprintp' function no longer exists.
> > > > > > >
> > > > > > > 'email_dialog_event' function no longer exists.
> > > > > > >
> > > > > > > file "/tmp/global_lock_fotoxx_syncfiles" no longer exists.
> > > > > > >
> > > > > > > The bug report says that using fotoxx as root user is necessary to
> > > > > > > trigger this bug.
> > > > > >
> > > > > > I *personally* admit it's the user's own fault to use fotoxx as root, but
> > > > > > well ...
> > > > > >
> > > > > > > In fact, using fotoxx (now fotocx) as root user can do many things to
> > > > > > > crash or alter a running system or alter files belonging to root. What
> > > > > > > is the fix for this? I could detect if running as root user and just
> > > > > > > exit. Is that a fix?
> > > > > >
> > > > > > In my eyes this is a fix, yes.
> > > > > >
> > > > > > Thanks a lot for the quick response
> > > > > > Andreas.
> > > > > >
> > > > > > > On Tue, Nov 5, 2024 at 6:27 PM Andreas Tille <andreas at an3as.eu> wrote:
> > > > > > >
> > > > > > > > Control: tags -1 upstream
> > > > > > > > Control: forwarded -1 Michael Cornelison <mkornelix at gmail.com>
> > > > > > > > Thanks
> > > > > > > >
> > > > > > > > Hi Michael,
> > > > > > > >
> > > > > > > > there is a ten-year-old bug report[1] against the fotoxx code that
> > > > > > > > was uploaded to Debian at that time. I intend to close this bug in my
> > > > > > > > next upload but I would like to get your confirmation that the problem
> > > > > > > > is dealt with in your current code. Please be so kind to have a
> > > > > > > > look[1] since the issue is potentially security relevant.
> > > > > > > >
> > > > > > > > Kind regards and thank you for providing fotocx as free
> > software
> > > > > > > > Andreas.
> > > > > > > >
> > > > > > > > [1] https://bugs.debian.org/761879
> > > > > > > >
> > > > > > > > --
> > > > > > > > https://fam-tille.de
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Mike
> > > > > > > kornelix.net open source Linux apps
> > > > > > > substack <https://michaelcornelison.substack.com/> essays
--
https://fam-tille.de
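The bug thread quoted above is about a fixed-name lock file in the shared /tmp and the agreed mitigation of refusing to run as root. As an added example, not code from fotocx or from either correspondent, here is how those two defences look in C; the lock file name, the fallback directory and the scratch directory used by the self-check are assumptions:

```c
#define _GNU_SOURCE                      /* mkdtemp, symlink, O_NOFOLLOW */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* 1 when the effective UID is root.  The fix agreed in the thread: check this at startup and exit(). */
int running_as_root(void) { return geteuid() == 0; }

/* Lock path under a per-user directory instead of a fixed name in the shared /tmp:
 * $XDG_RUNTIME_DIR is user-owned, mode 0700; `fallback_dir` is the caller's (assumed) choice.
 * Returns 0, or -1 if `out` is too small. */
int build_lock_path(const char *fallback_dir, char *out, size_t outlen)
{
    const char *dir = getenv("XDG_RUNTIME_DIR");
    if (dir == NULL || *dir == '\0') dir = fallback_dir;
    int n = snprintf(out, outlen, "%s/fotocx_syncfiles.lock", dir);   /* assumed file name */
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Create the lock atomically: O_CREAT|O_EXCL fails if anything (stale file or planted
 * symlink) already sits at `path`, O_NOFOLLOW never follows links, 0600 keeps it private. */
int open_lock_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Self-check in a fresh scratch directory (constructed, removed afterwards): first open
 * succeeds, a second one is refused with EEXIST, and a symlink at the lock path is refused too. */
int lock_guard_selfcheck(void)
{
    char dir[] = "/tmp/fotocx_lockcheck_XXXXXX", path[128], victim[128];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(path, sizeof path, "%s/fotocx_syncfiles.lock", dir);
    snprintf(victim, sizeof victim, "%s/other_file", dir);
    int fd = open_lock_exclusive(path);
    int first_ok = fd >= 0;
    int second_refused = open_lock_exclusive(path) < 0 && errno == EEXIST;
    if (fd >= 0) close(fd);
    unlink(path);
    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);   /* an ordinary file the link points at */
    if (vfd >= 0) close(vfd);
    int link_refused = symlink(victim, path) == 0 && open_lock_exclusive(path) < 0 &&
                       (errno == EEXIST || errno == ELOOP);
    unlink(path); unlink(victim); rmdir(dir);
    return first_ok && second_refused && link_refused;
}
```

A program applying both guards would call running_as_root() first and exit on 1, then build_lock_path() and open_lock_exclusive() for the lock.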